Guidance on Potential Ransomware Attacks on US Hospitals

Guidance on Potential Ransomware Attacks on US Hospitals

Blog WilmerHale Privacy and Cybersecurity Law

We hope you have read about the reporting on potential ransomware attacks on US hospitals and perhaps other health care providers. If you have not, please review this guidance from the government agencies involved in this investigating this set of attacks. 

Obviously, ensuring that your systems are aggressively protected and monitored in this immediate time frame is of particular importance. You also should consider whether to review your existing backup systems or other alternative means of accessing your critical medical information in advance of an attack (rather than waiting). In addition, please consider the following steps over the course of this situation. 

  • Contact law enforcement if you are attacked – the FBI is involved in these investigations.
  • Pay careful attention to internal efforts to protect your systems and obtain access to this information. This should include consideration of privilege issues in relation to future litigation and/or investigations. 
  • Evaluate the impact of any attacks in terms of generating notices to patients or others, as required by HIPAA and/or state law. Ransomware attacks create particularly complicated questions in connection with breach notification obligations.
  • Implement your incident response plan thoughtfully and efficiently – and make sure that you revise it going forward to incorporate any lessons learned
  • During the event and following it, ensure that you are reviewing what happened and how your systems and policies can be improved. HHS in particular pays close attention to these remediation and improvement efforts when it is conducting investigations under the HIPAA rules. 

Please let us know if we can be helpful in connection with responding to these attacks or addressing any follow-on issues related to them.


More from this series


Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.